MergerWaterfall
Security Overview
Law firms' client data is some of the most sensitive information that exists. For this reason, privacy and security are and always will be our top priority. This principle underlies every decision we make in designing, building and scaling MergerWaterfall. In addition to keeping your data safe, we are also committed to providing transparency and control over how your data is collected, used and retained.
Security Controls
Data Segregation: MergerWaterfall processes and hosts data from uploaded files from attorneys in the operation of a deal. These files are stored locally on the attorney’s computer, and are encrypted in transit and at rest to prevent unauthorized access. Once the attorney is finished working, the finalized data are uploaded to our cloud infrastructure (see below), where they are stored and processed by back-end infrastructure and AI models. There, we maintain segregated storage for each firm and for each waterfall with separate information for each client of the law firm. This ensures that data about a specific deal is ring-fenced and there is no risk of contamination between different deals managed on our platform. As a consequence, this ensures that data from a firm is ring-fenced and there is no risk of contamination between deals managed by different firms.
Cloud Infrastructure: Our cloud infrastructure is deployed, hosted and maintained on Vercel. We take advantage of Vercel's advanced security measures including comprehensive network and application firewall protections. Additionally, their strict adherence to global privacy standards and ongoing security monitoring provide further protection against unauthorized access. Vercel adheres to various compliance standards, including:
- SOC 2 Type 2 attestation for Security, Confidentiality, and Availability
- ISO 27001:2013 certification
- GDPR compliance
- PCI DSS compliance support
- HIPAA compliance support (for enterprise customers)
- EU-U.S. Data Privacy Framework certification
Responsible AI
We use AI models to review uploaded documents to parse identifiable information to assist the attorney in filling in MergerWaterfall projects. We only use foundation models backed by enterprise-caliber privacy and security standards. Your firm's data is never retained by these models, nor is it used to update these models. MergerWaterfall also does not cross-train models between firms, meaning that your data will only ever be used to improve your service and will not be used for any other firm. This effectively eliminates any risk of data leakage via the model's outputs.
Data Ownership
We believe that firms should have the right to determine when and how their data is collected, used, and retained. We use your data only in very limited ways. First, to deliver the service requested — that is, generating automated time entries. Second, our systems learn from any edits you make to your time entries so that we can deliver better outputs in the future (this information is user-specific, and is never shared across firms). Third, we hope to be able to use your time logs to deliver other useful features in the future — but only with your explicit consent. We also give firms the ability to set custom retention periods, ranging from daily to indefinite retention.
Policies & Governance
Privacy and security measures are only as good as the policies and controls that underpin them. We take a number of measures identified as industry best practices to ensure the highest caliber of compliance.
- Role-Based Access Controls: Ensure data accessibility is limited to authorized personnel only.
- Login Security with MFA: Add an additional layer of authentication for robust protection.
- System Monitoring and Audit Logs: Maintain vigilance over activities for enhanced security and compliance.
- Adaptive Policy Updates: Modify strategies in response to evolving cyber threats and industry standards.
- External Compliance Audits: Conduct regular evaluations to ensure adherence to regulatory requirements and identify improvement opportunities.
- Staff Training: Continuously enhance knowledge with cybersecurity best practices.
Responsible Vulnerability Disclosure
At MergerWaterfall, we take the security of our systems and applications seriously. We welcome reports of potential security vulnerabilities from ethical security researchers and members of the security community. If you believe you have found a security vulnerability in any of our products or services, please report it to us via email at security@mergerwaterfall.com. Read more about our Responsible Vulnerability Disclosure Policy here.